Introduction 


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals rights. 


The public consultation on the draft code will remain open until 4 
March 2020. The Information Commissioner welcomes feedback on 
the specific questions set out below. 


You can email your response to directmarketingcode@ico.org.uk 
or print and post to: 


Direct Marketing Code Consultation Team 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (eg a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (eg sole traders, academics etc) will be published 
but any personal data will be removed before publication (including 
email addresses and telephone numbers). 


For more information about what we do with personal data please see 
Our privacy notice 


Q1 Is the draft code clear and easy to understand? 


[ ] Yes 
[X] No 


If no please explain why and how we could improve this: 


Generally - but we have noted some specific changes and difficulties in our separate 
addendum. 
It is rather long to be easily navigable for someone with limited expertise. 


In general our answers would be not always rather than yes or no. 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to 
duplicate all our existing data protection and e-privacy guidance) 


[ ] Yes 
[X] No 


If no please explain what changes or improvements you would like to 
see? 


In places it contains too much detail where it repeats guidance to be found elsewhere; in 
other places it needs a little more detail. We have set out these in our addendum. 


Q3 Does the draft code cover the right issues about direct marketing? 


[ ] Yes 
No 


If no please outline what additional areas you would like to see 
covered: 


As explained in our addendum we believe that it is not so much additional areas but a 
need to try to reduce duplication. 


Q4 Does the draft code address the areas of data protection and e- 
privacy that are having an impact on your organisation’s direct 
marketing practices? 


[X] Yes 
[ ] No 


If no please outline what additional areas you would like to see covered 


Q5 Is it easy to find information in the draft code? 


[ ] Yes 
No 


If no, please provide your suggestions on how the structure could be 
improved: 


As hinted at above, we believe there is an excess of information in places, a degree of 
duplication internally and with other available advice. It might be easier if there were 
some cross referencing - and also it is important the upfront summary is consistent with 
the text. 


Q6 Do you have any examples of direct marketing in practice, good or bad, 
that you think it would be useful to include in the code 


[ ] Yes 
[ ] No 


If yes, please provide your direct marketing examples : 


Q7 Do you have any other suggestions for the direct marketing code? 


See the addendum submitted separately. 


About you 


Q8 Are you answering as: 


[ ] An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

[ ] An individual acting in a professional capacity 

[X] On behalf of an organisation 

[ ] Other 


Please specify the name of your organisation: 
BRC - British Retail Consortium 


If other please specify: 




How did you find out about this survey? 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 

If other please specify: 


Thank you for taking the time to complete the survey 




ICO Consultation on Direct Marketing Code of Practice March 2020 
Addendum for Q7 
BRC comments based on a member meeting 


BRC represents a wide range of retailers online, bricks and mortar and omni-channel. 


In general the Code is often helpful and comprehensive — perhaps too long and too 
comprehensive. There is plenty of practical guidance on areas such as new technologies 
(though we note below this is an ever changing area), social media advertising and ‘refer a 
friend’ marketing — on all of which we raise some specific issues below. However, there are 
some respects in which the Code is somewhat draconian in its expectations on data 
controllers, some of which expectations are unrealistic and impractical. At times the Code 
seems to suggest that retailers will have to obtain multiple different consents for fairly routine 
and normal marketing activity. 

The Code is really long with a degree of repetition. It could be reduced by appropriate cross 
referencing. 

The proportion of examples relating to retail is quite high. We do welcome this but trust that 
retail is not being particularly targeted. 

We note below some very specific issues but among our key concerns are marketing of retailer 
products by third parties; consent for ‘profiling’; consent for advertising on social media; 
consent for location based direct marketing. 

It is important that the summary should be as precise a reflection of the text as possible. We 
note that on page 6 there is an important difference between the summary on ‘Enforcement 
of this code’ and the substantive text on page 10. The summary states ‘If you do not follow 
this code, you will find it difficult to demonstrate that your processing complies with the GDPR 
or PECR’. The substantive text states: ‘If you do not comply with the guidance in this code, you 
may find it more difficult to demonstrate that your processing for direct marketing purposes 
is fair, lawful and accountable and complies with the GDPR and PECR’. The emphasis is rather 
different in the substantive text, suggesting there may be other ways to demonstrate 
compliance with the law whereas the summary, which is what many smaller businesses may 
read, is far more black and white. 


On page 11 the section ‘What is the status of ‘further reading’ or other linked resources?’ is 
rather ambiguous. Having said there is no duty on the Commissioner or courts to take the 
further guidance into account, it then states that any ICO Guidance inevitably reflects the 
Commissioner’s views. We believe this could be made clearer. If the guidance to which the 
reader is directed is unlikely to be taken into account, it might be better to omit the link or 
explain it further. 


Also on page 11 there is mention of EDPB Guidance. This requires further explanation as to 
the future status of the EDPB and its Guidance and whether the ICO will regard it as fully 
applicable to the UK or not. 


On page 13 et seq in the section Does the code apply to us, there is a perception that the ICO 
is rather stretching the interpretation further than in the EU, in particular in the sentence 
‘direct marketing purposes include all processing activities that lead up to, enable or support 
the sending of direct marketing’. This seems to go beyond the relevant legal definitions and 
could be interpreted far more widely than ‘communication’ of advertising or marketing 
material to include, for example, ISPs and the Post office activity. It should be pared back to 
‘sending of direct marketing’. Indeed the Code suggests on page 14 that direct marketing 
purposes do indeed go beyond the sending of direct marketing to include all the steps prior 
to that. However, while those activities may well be subject to the GDPR etc, we do not believe 
that in themselves they are direct marketing activity. The Code could be shortened if these 
activities were omitted or be made clearer if they were in a separate section dealing with 
associated activity that is subject to the DPA/PECR but is not in itself direct marketing. 


It should be stated up front which activities, and who, are caught by PECR. 

On page 17, the example provided at page 41 about a new product launch is a better example 
of solicited marketing. We do not believe that being approached for a quote is ‘marketing’ but 
a fulfilment of a request for information about the services (provided by a retailer or vendor) 
that may lead to the parties entering into a contract for services. By the same token a 
tendering exercise would be another example of solicited marketing and it should be made 
clear that it is not only applicable to double glazing firms etc. 

Under the section on sugging on page 18, the use of the word ‘rules’ in reference to direct 
marketing rules is questioned. It is important in a statutory code to be using words in a strict 
manner and the view is that the so called rules are in fact guides. 

The definition of sugging says if the call or message includes any promotional material the 
message is for direct marketing purposes BUT an earlier reference under the heading ‘what 
are direct marketing purposes’ has a more purposive approach eg it references the ultimate 
aim of processing. What about a survey sent by email which is genuine — but if links to a 
website are included then it becomes marketing even if this is not the ‘ultimate aim’. 

On page 18, there is a bit of confusion about the ultimate aims of processing. This is a different 
issue from direct marketing per se. 

The section on page 19 et seq could be expanded with more examples. We believe the value 
of the communication to the customer should be taken into account and the distinction 
should not be too black and white. Thus the line between a service message and a promotion 
seems to be out of proportion. For example, saying it would be good to see you again is not 
in our view a promotion but to engage with the consumer. The failure to make a service 
message appealing to the customer is counter-productive. The reference to ‘phrasing, tone 
and context’ is not helpful. A service message does not need to look and sound awful. 

Is the inclusion of a website link to service information a service or promotion? In the old 
guidance there was a significance test on links back to a website that has gone. There is no 
longer, it seems, a grey line where one can link back to a sale. Indeed it seems that the service 
message must be so totally bland that the customer may not even bother to read something 
potentially significant. What should be important is the content not the tone. This follows 
through to the example on page 22 of the GP. We find it very difficult to distinguish the 
difference between the two messages — both seem to serve a public interest service that 
should be taken into account and in any case these messages tend to go to patients with 
specific care needs rather than every patient. 


In other areas, the number of claims is growing and many cases refer to the codes. The 
controller needs to look at the law not a stretched explanation. 

On page 19, the example of a bank placing a call to a customer is not realistic. Banks actually 
warn customers to be wary of such calls. 

On page 20, there should be an example of a regulatory communication where the direct 
marketing provisions of the GDPR and PECR may apply. This will be particularly helpful when 
the basis of the communication is to promote competition. 

At the third paragraph on Page 20 the ICO explains ‘content and context of the message is 
likely to determine whether it is direct marketing, regardless of the wider public policy behind 
it’. It does not mention ‘tone’ — which may cause some confusion for controllers faced with 
deciding whether a communication is marketing or a regulatory communication or a service 
communication. Does this mean there are 3 elements to the analysis of communications? 

In the ‘at a glance’ on page 24 dealing with planning your marketing: dp by design, we 
welcome the inclusion of both consent and legitimate interest as the potential two lawful 
bases — albeit consent is clearly favoured. 


The section on page 26 et seq on ‘Are we responsible for compliance’ could be clearer with 
more examples. We are uncertain where the line is being drawn. For example, how far can a 
supermarket go in promoting shared values on csr. If a supermarket is to undertake a 
campaign with a charity who needs to check the suppression list of the producer and supplier 
and how often. Does use of the term ‘in partnership with’ mean both parties have to check 
their suppression lists thereby requiring each to exchange lists of personal data to enable the 
cross checking every time a communication is undertaken? If someone has opted out of 
advertising for a particular brand and there is to be direct marketing involving that brand, is it 
necessary to feed back to the brand to check? 

On page 27 in the last sentence of the 4th paragraph there is a reference to a ‘transparency 
agreement’. As far as we know this is not a formal term or type of agreement — but if it is 
more should be said about it. 

On page 27 in the example there is reference to ‘where possible it would be good practice...’ 
We do not believe it is helpful to include good practice in a Code — or if it is to be included it 
should be very prominent that this is a suggestion and not part of the Code. 

On page 28, there is reference to some processing operations requiring a DPIA automatically 
in the penultimate paragraph. It would be helpful if the Code could be more precise and 
identify which require a DPIA automatically and which require one if they occur in 
combination. 

On page 30 in the section on the lawful basis for direct marketing the paragraph starting ‘Your 
choice....PECR’ is badly worded in the sense that it gives the consumer the impression that if 
using legitimate interest as the basis the consumer’s choice is somehow being taken away 
from him. It would be better to say that ‘if you are using legitimate interest as the basis, then 
you have additional responsibilities...’ 

Another example of mixing good practice with a requirement in a statutory code appears on 
page 31, albeit it is clearly stated to be a good practice recommendation. However, it is not 
reasonable to suggest in a Code that those businesses that do not do this are engaged in bad 
practice. 

On page 32 in the example, we believe that if this did not refer to a charity soft ‘opt in’ could 
be used. It should be made clear the example only refers to a charity. 


On page 33, a better example would be an incentivised email marketing sign up with a money 
off or % off offer. The loyalty card example is too specific so it would be better if an example 
referred to providing an advantage from signing up rather than emphasising the disadvantage 
of not doing so. It would be helpful for an example showing how far one can go for it to be 
acceptable and not cross the line. 

On page 33 under specific and informed, the information that it is suggested is covered by 
consent is huge because of the very wide definition of ‘direct marketing purposes’. This is Art 
13 information but specifically set out in a consent sign up. 

On page 34, the importance and relevance of the soft opt in has been effectively downgraded. 
The way this is written the soft opt in seems to hardly be useable. 

On page 35 in the paragraph ‘It is sometimes suggested......very clear evidence of their 
preferences’ more could be said to indicate what might constitute that clear evidence. 

The example on page 36 needs a conclusion as to whether this is acceptable or not. 


On page 36 the reference to ‘vast’ amounts of personal data near the bottom of the page 
would be assisted if there were some reference to what constitutes vast. 

The ICO needs to confirm whether they see the ‘soft opt in’ as a type of consent or something 
different. If it is something different this needs to be made clear in a number of references — 
page 24 ‘However, if PECR requires consent then in practice consent will be your lawful basis 
under the GDPR’; Page 30 ‘PECR requires consent for some methods of sending direct 
marketing..... Trying to apply legitimate interests when you already have GDPR-compliant 
consent would be an entirely unnecessary exercise’; page 36 ‘Remember if PECR requires 
consent then in practice it is consent and not legitimate interests that is the appropriate legal 
basis’ ; page 37 ‘ If you believe your processing of data for direct marketing purposes is 
necessary.....you still need consent if you want to send certain types of electronic marketing 
under PECR’. 

On page 36 ‘the lack of any proactive opportunity to opt out in advance....barrier to exercising 
their data protection rights’ is again potentially difficult given the scope of ‘direct marketing 
purposes’ and what would have to be listed in a sign up journey. 

Page 38 refers to loyalty schemes. We think it needs some examples that are very clear if 
consumers are to understand where the line can be drawn. To some extent we believe the 
paragraph on page 38 ‘There may be occasions...to collect these points’ may misunderstand 
how loyalty schemes work. Indeed, the marketing pays for the points. For example, if points 
are given on every purchase, it is not tied to a marketing scheme. In another case a consumer 
may enter a loyalty scheme to get benefits or a retailer may have as the purpose of the loyalty 
scheme getting data and profiling. On the other hand if a consumer signs up to the terms and 
conditions it may be a matter of performance of contract. These scenarios need further 
consideration and examples. 

On page 41 the references re PECR to ‘for the time being’ and ‘as time passes’ need to be 
clarified to say that if a person has not been contacted for a long time and old consent is being 
relied upon that does not constitute ongoing contact. Otherwise if someone has consented to 
marketing that consent until the customer has opted out. 

Later on page 42 there is reference to 6 months as ‘good practice’ for new customers based 
on 3rd party consent collection — but a Code and good practice do not necessarily mix. In any 
event what is the status of seasonal messages? 


On page 42, the recommendation to erase or anonymise data if it is no longer needed for 
direct marketing should indicate some sort of timescale for deleting their segmentation data 
when they opt out of marketing from a loyalty scheme in case they want to opt back in? 

On page 50/51 it would be helpful to have further information or examples on what is 
appropriate detail when advising people how a business wishes to use their data for direct 
marketing. Is a statement such as ‘sending direct marketing messages’ sufficient, for example? 

On page 54 the section on asking existing customers to give contact details of their friends 
and family would seem to suggest ‘refer a friend’ schemes are ruled out. Is this the case? 

On page 56, the 4th paragraph in ‘at a glance’ does not really help. First, if a customer is not 
willing to give the extra information directly, he would be unlikely to agree to a third party 
providing them and, second, if consent is needed to obtain the additional details it would be 
more likely a business would just ask for them directly. Also the wording suggests that consent 
is required but the wording should be ‘been informed’ instead of ‘agreed’ perhaps. 

On page 58 in paragraph 5 there is a reference to ‘intrusive’ profiling. This is a new concept 
that requires explanation or an earlier reference if it is intended to cover the previous 
paragraphs. 

Consent for profiling (page 57/58)— Many large retailers create detailed profiles of customers, 
especially those in loyalty schemes consisting of contact information and other data submitted 
by customers; observed behaviour online and in store (purchasing) and inferred data. The 
Code seems to suggest that such profiling cannot be justified by ‘legitimate interests’ and 
consent is the only lawful basis. Thus retailers would need to capture a separate consent for 
profiling in addition to direct marketing. While this could work for new customers, for existing 
customers it would require problematic reconsenting. It would be useful to know whether the 
ICO believes profiling requires a separate consent or whether this is limited to a certain type 
of profiling. 


On page 60 under can we match or append data the section that reads ‘in most 
instances....expressly agreed’ is a concern as this should only relate to direct marketing. 
Legitimate interests should be available as a legal basis for other purposes. 

Page 61/62 needs clarification where it states that individuals must provide consent to third 
parties to have their additional contact details used for direct marketing. However, when 
discussing tracing ‘in some cases individuals may express a wish for their updated contact 
details to be shared...by ticking a box or some other positive action’. Is this standard GDPR 
consent? It is unclear why there would be a different legal basis for use of contact details for 
direct marketing that have not been given to a controller when they are additional (matching 
/appending) or replacement for defunct (tracing). 

On page 72, our understanding is that the quotes from the PECR Regulation 22 only apply to 
targeting an individual. If that is correct, it should be clarified. Also there is a question as to 
whether in app messages generated by the app itself are covered by PECR. 

On page 73, the first example is not entirely clear. The issue is that the information was not 
given at the point of purchase ie the opportunity to not consent and opt out. Also the opt out 
was not included in the email. There is also the issue of using a soft opt in for similar goods 
and services. These points need amplification. 

On page 74, the references to ‘tracking pixels’ is too hard line, in our view. Some of these are 
strictly necessary. 


On page 74/80 we think that the advice on an email address overstates the position and goes 
beyond the statutory definition of personal data that is linked to ‘identifiability’. Some email 
addresses are group addresses and do not identify the recipient. 

On page 75 in the first table in point c, we believe it would be useful to add after ‘refusing’ the 
words ‘at the time the details are collected’. 

On page 76, the example about supermarket services and emails about banking or insurance 
products is debateable in that most customers are aware or becoming aware of the whole 
range of products sold by a supermarket these days. 

On page 77 in point 5, it would be wise to add the words ‘direct marketing’ to before 
‘communication’ both in the title and the first sentence — just to be totally clear. 

Pages 26/27; 82/83 Marketing of retailer products by third parties — In certain circumstances 
a third party may send direct marketing to its customers related to a retailers products or 
services without the retailer holding or processing any of the customers’ personal data. In the 
past the position has been thought to be that because the retailer is not processing data or 
sending the marketing there are no privacy law implications for the retailer. However the Code 
suggests we would need to obtain consent from the recipients as in page 26/27 (‘If you are 
planning electronic communications as dual branding promotion with a third party, you still 
need to comply with PECR even if you do not have access to the data that is used’). Also on 
page 82 it states ‘PECR may still apply even if you do not send the electronic message yourself’ 
et seq. And on page 83 ‘if company A is encouraged by company B to send its marketing emails 
then both require consent from the individual under PECR’. In other words the ICO is 
suggesting the retailer is ‘instigating’ the sending of direct marketing. However, we would 
suggest that this is extending the law and that it should be for the entity sending the direct 
marketing to its own customers to ensure it has the required consent. Not only does it seem 
unnecessary for the retailer to get consent to marketing by a third party but it is difficult to 
envisage how the consent would be obtained if the retailer does not know who the customers 
are. 


On page 81/82 something should be included about the basis on which information can be 
passed on to organisations like Trust pilot to validate a review. 

On page 82 using third parties to send our direct marketing — what about a situation where a 
retailer sells a particular product and the brand then wants to promote that product to the 
retailer’s customers; would the retailer’s consent be sufficient? 

On page 83, it needs to be clarified whether there is any problem with asking a customer to 
email friends and family with a recommendation — and possibly including the text to be sent. 

The section on page 85 et seq, entitled ‘Online advertising and new technologies’ has more of 
the character of Guidance than a Code. This whole landscape can change so quickly that there 
needs to be a capacity to update the section regularly. Ideally it would be hived off into 
separate guidance. 

On page 90, in the last paragraph, we rather believe that these days individuals do in fact 
expect processing takes place in these circumstances. We believe the paragraph should take 
this possibility into account. It is unlikely that consent wording would normally hitherto have 
referred to direct marketing via social media messaging. 

We also believe that there is an over-emphasis on consent in this space. It is difficult to keep 
getting fresh consent with new technology. 


• On page 91, the second last paragraph beginning ‘However, you may not have any direct 
relationship...’ is not practical. A retailer has no power to control what the large social media 
giants and platforms do. Usually Facebook and Google just ignore all such requests for 
information of this type. 

• On page 72 and 95 it would be helpful to have clarity on whether push notifications are 
covered by PECR or not. In-app messages are different from messages received as 
notifications rather than in the app itself. 

• The Guidance on page 96 needs to go further. The principles for mobile IDs are the same as 
for cookies and similar technologies and the Adtech industry will proceed along the old status 
quo if they are led to believe there is any room for them to be treated differently from cookies. 

• On page 96 the code appears to suggest that consent is required for any geo-location based 
direct marketing. Is this so? 

• The section on Individual Rights starting on page 105 is unnecessary in a Direct Marketing Code 
and could be omitted to reduce the length with a reference to SARs being substituted. 

• Overall there are references to only PECR applying or only one of PECR or GDPR but surely if 
the Code relates to Direct marketing the GDPR always applies? 


Contact: HO brc.org. uk 


